The educational sector has always been a lucrative and vulnerable target for cybercriminals. Because they store large amounts of private data, payment information, and sensitive communications, learning institutions are often targeted by hackers. Educational software company PowerSchool recently became the target of a data breach in which student and teacher information was stolen. In this blog article, we look at how the PowerSchool data breach took place and how it affected schools. We also look at the growing trend of cyber-attacks against the schooling sector and how these organizations can prevent them. For now, let’s get into the main details of the PowerSchool breach.

PowerSchool Data Breach

On the 7th of January, PowerSchool, a prominent education software company, confirmed that a threat actor stole the personal information of students and teachers from school districts using its PowerSchool Student Information System (SIS) platform. This system is used to manage student records, grades, attendance, enrollments, and more. According to multiple school districts, unauthorized access to the software company’s platforms began on the 19th of December and ended on the 28th of December.

In an incident notification sent to customers, the company stated that it became aware of “a potential cybersecurity incident involving unauthorized access to certain information” through its community-focused customer support portal, PowerSource. This platform contains a maintenance access tool that allows PowerSchool engineers to "access Customer SIS instances for ongoing support and to troubleshoot performance issues."

Bleeping Computer reported that the threat actor gained access to the PowerSource portal using compromised credentials and then stole data using an "export data manager" customer support tool. This tool allowed the attacker to export the PowerSchool SIS 'Students' and 'Teachers' database tables to a CSV file – which was then taken. Now, let’s get a better understanding of the impact of the cyber-attack itself.

Impact of the PowerSchool Data Breach

According to PowerSchool, the stolen data includes names, addresses, birth dates, contact information, and more. However, for some districts, the data could also include Social Security numbers (SSNs), personally identifiable information (PII), medical information, and grades. A representative for PowerSchool shared that no customer tickets, customer credentials, or forum data were exposed or exfiltrated in the breach.

The company further stressed that not all PowerSchool SIS customers were impacted by the breach – stating that mainly school districts across Southwestern Pennsylvania may be affected. The total number of schools affected has not yet been tallied. The company also maintained that the incident was not a ransomware attack or the result of software flaws, but rather a straightforward network break-in.

In another statement released by the company, it maintained that “PowerSchool is not experiencing, nor does it expect to experience, any operational disruption and continues to provide services as normal to our customers.” PowerSchool further states that it has no evidence that other PowerSchool products were affected as a result of this incident.

Penn-Trafford and Franklin Regional school districts were notified of the breach and sent letters to parents noting that student and parent names and addresses may be among the impacted data. Marysville schools, Big Walnut, Westerville, Upper Arlington, and Reynoldsburg were among the schools confirmed to have been affected.

Upper Arlington reported that data from its student and teacher information tables was exported, but noted the district does not use all of the fields available to store information. Reynoldsburg said that only student names and addresses were accessed. Franklin Regional Superintendent Gennaro Piraino said the district does not believe any student medical information was accessed in the breach. The Fox Chapel Area School District said in its statement that it was “extremely disappointed that PowerSchool experienced this unfortunate incident,” and further noted that while the incident occurred within the PowerSchool infrastructure, the district would review its own records independently and would continue to take privacy and data security very seriously.

Multiple school districts have reported that PowerSchool provided video evidence of hackers deleting information. The company states that it does not anticipate any stolen data being duplicated, leaked, or sold. We can now look at how PowerSchool responded and what is being done following the breach.

What Is Being Done About the PowerSchool Breach?

After becoming aware of the incident, PowerSchool’s cybersecurity response team began working with third-party cybersecurity experts to resolve the situation. The company deactivated the compromised credentials and restricted all access to the affected portal, while also conducting a full password reset and further tightening password and access control for all PowerSource customer support portal accounts. The company assured its customers that affected adults would be offered free credit monitoring, while minors would receive subscriptions to an unspecified identity protection service.

PowerSchool also released an FAQ sheet accessible only to customers and plainly revealed that while the incident was not a ransomware attack, the company did pay a ransom to prevent the data from being released. The company stated that it had received “reasonable assurances from the threat actor that the data has been deleted and that no additional copies exist." When asked how much the company had paid, they were unable to provide an answer, stating only that they had received a video showing that the data was deleted.

The platform is still continuously monitoring the dark web to determine if the data has been leaked or will be leaked in the future. However, the organization maintains that its operations remain unaffected, and services continue as usual despite the breach. PowerSchool is now in the process of notifying impacted school districts and will be providing a communications package that includes outreach emails, talking points, and FAQs to help inform teachers and families about the incident. The investigation is ongoing and a finalized report is expected by January 17, 2025. PowerSchool has stated that it is committed to transparency and will share the report with affected school districts when it is ready. To fully understand the scope of the damage, let’s look further into what PowerSchool is and how crucial it is for schools.

What Is PowerSchool and What Is its Role in Schools?

PowerSchool is a cloud-based software solutions platform that is used to organize and navigate student data for K-12 schools and districts. The company provides a range of services to over 60 million students and over 18,000 customers worldwide. These services include platforms for enrollment, communication, attendance, staff management, learning systems, analytics, and finance. PowerSchool also operates Naviance, a platform used by many K-12 districts in the US to offer personalized college, career, and life readiness planning tools to students.

This means that the PowerSchool platform houses a significant amount of student and teacher private information – making it a lucrative target for hackers looking to sell data. Sadly, the educational sector is quite familiar with the plight of these security incidents. Now, let’s look at some of the recent data breaches and cyber-attacks against educational institutions.

Recent Data Breaches in the Educational Sector

According to K12 SIX, there have been at least 325 ransomware attacks on school districts across the United States between April 2016 and the end of November 2022. Clearly, hackers are feeling more comfortable with the idea of stealing student and teacher information.

Minneapolis Public Schools Breach

In early March 2023, Minneapolis Public Schools revealed that an "unauthorized threat actor" had accessed data in its system, which led to 300,000 private student files being exposed on the dark web. Medusa, a popular ransomware group, claimed responsibility for the attack on the school and released a video with information – setting a ransom at US$1 million. The school district refused to pay the ransom and the data was published. It was later learned that the data leaked included files describing student sexual assaults, psychiatric hospitalizations, abusive parents, truancy, and even suicide attempts.

Tucson Unified School District Breach

In January 2023, the Tucson Unified School District was hacked and employee and student data were published on the dark web. The threat actors, going by the name "Royal" cyber gang, had encrypted and copied massive amounts of critical data and then demanded a ransom amount. When the amount was not paid, the hackers released the stolen data on the dark web.

Los Angeles Unified School District Breach

Also in 2023, the Los Angeles Unified School District disclosed that approximately 2,000 of its students’ assessment records were posted on the dark web. The posted records also included an unspecified number of driver’s license numbers and Social Security numbers.

Granite School District Breach

In 2024, the Granite School District confirmed that it had experienced a cybersecurity incident in which the records of 450,000 current and former students were illegally accessed. While only employees were believed to have been affected at first, the school district soon found out that the threat impacted students as well. A district employee accidentally downloaded a corrupt file and allowed others to access a superuser account through the malware in September 2024. A ransom was proposed, but the district refused to pay and the data was later released on the dark web.

Otsego Public Schools Breach

In October 2023, Otsego Public Schools (OPS) officials posted a notice about a data breach. In October 2024, following a thorough investigation, the school district found out that names, Social Security numbers, driver’s license numbers, payment information, and other identifiers may have been compromised in the breach.

Each of these incidents only marks the tip of an iceberg of problems with cybersecurity in the education sector. Without proper and prompt recourse, learning institutions, platforms, and organizations are not safe from the scourge of cyber-attacks.

Importance of Cybersecurity in Educational Institutions and Best Practices for Continued Safety

Cybersecurity is not always a priority within many sectors – especially the education sector. While schools rush to evolve their IT infrastructure, many forget to elevate the cybersecurity systems that protect it. This leaves a vulnerable and lucrative gap for hackers to take advantage of. These institutions and platforms safeguard the data of children, teachers, and parents – whether it be academic, personal, medical, or anything more. That places the responsibility for that data on their organizations.

Fortunately, we’ve put together some of the best practices for organizations, students, and teachers to abide by to ensure a robust cybersecurity posture. Fox News has also put together a list of recommendations for customers specifically dealing with the aftermath of the PowerSchool data breach. These are some of the steps you can take to protect your data from being breached:

  1. Monitor accounts regularly and ensure that your balance remains the same. Keep an eye on any transactions you may not have approved and be wary of any notifications from your bank or changes to your account.
  2. Go straight to freeze. If you’re uncertain about the safety of your banking cards, ask your bank to freeze all transactions to be safe.
  3. Utilize identity theft protection services. These are being provided by PowerSchool for those affected and will alert you about suspicious activity and provide support if your identity is stolen.
  4. Enable Two-Factor Authentication (2FA). As an overall precaution, 2FA (or MFA) should be enabled across all your devices anyway. This adds a layer of security to verify your identity when accessing accounts on different devices.
  5. Be wary of phishing links and suspicious attachments. Most hackers will find their way into a network through poor cyber hygiene practices, so always keep an eye out for phishing scams, social engineering attacks, and malware attachments.
  6. Implement a zero-trust system with access control. This ensures that every login requires a password and verification.
  7. Invest in superior cybersecurity platforms and technologies. Try to use the latest antivirus software and infrastructure to prevent, detect, and mitigate cyber threats in real time.

It’s a lot easier for educational institutions and companies to maintain accurate, advanced, and elevated cybersecurity when they invest in a leading platform. Sangfor Technologies offers a variety of innovative and integrated cybersecurity solutions and infrastructure that will revolutionize your organization. Don’t be the next data breach headline in the news: invest in enhanced security that understands evolving cyber threats and how to stop them. Contact Sangfor Technologies today or visit www.sangfor.com for more information.
